Last week, the folks at Yahoo! informed us that 500 million users' details were leaked in a massive hack. On the face of it, it just seems like yet another hack. Yahoo! was downplaying it, but the reality is, you need to be scared (if you have a Yahoo! account, that is).
Companies like Yahoo! store all sorts of information about you. The most common type of information they store is your logon credentials: they need your username (often your email address) and your password so they can identify who you are when you log on. Users are also very bad at remembering their passwords, so the companies also record those secret questions and their answers.
And this is the problem. Remember the Sarah Palin email hack? Or the iCloud leak of celebrity photos? Those attacks succeeded because the attacker was able to guess the secret answers to those pesky questions. For a celebrity, most of that information is public knowledge (they will have told a reporter in some interview the name of the town they were born in), or you can just check their Wikipedia page. Chances are the answers to all the questions are there. If someone really wants to gain access to your account, they log onto the site, pretend to be you, click the “Forgot password” link, and answer the questions. Sometimes it is guessing, and now, thanks to Yahoo!, the attacker knows exactly what the answers to your secret questions are.
The real criminal minds behind these hacks will take the data from Yahoo!, Dropbox, LinkedIn, Ashley Madison, Target, Sony, and many more, combine it, and use the merged profiles for extorting money or identity fraud.
It is really disappointing that Marissa Mayer did not put any focus on security. If she had, Yahoo! would have found the attack long ago and would have been able to stop it.
If you run any system that allows your users to reset their passwords by answering secret questions, stop using it immediately. There is no such thing as a secret question anymore. The hackers already know that information, and it is only a matter of time before they use it to gain access to your systems.
The only real solution here is two-factor authentication. The downside is that not all web sites use it. Tools like Google Authenticator are free and easily implemented in any website. You sacrifice some user convenience in the process, but the increase in security is significant.